lib/encryptor.rb in encryptor-1.1.3 vs lib/encryptor.rb in encryptor-1.3.0

- old
+ new

@@ -50,15 +50,26 @@
     options = default_options.merge(:value => args.first).merge(args.last.is_a?(Hash) ? args.last : {})
     raise ArgumentError.new('must specify a :key') if options[:key].to_s.empty?
     cipher = OpenSSL::Cipher::Cipher.new(options[:algorithm])
     cipher.send(cipher_method)
     if options[:iv]
-      cipher.key = options[:key]
       cipher.iv = options[:iv]
+      if options[:salt].nil?
+        # Use a non-salted cipher.
+        # This behaviour is retained for backwards compatibility. This mode
+        # is not secure and new deployments should use the :salt options
+        # wherever possible.
+        cipher.key = options[:key]
+      else
+        # Use an explicit salt (which can be persisted into a database on a
+        # per-column basis, for example). This is the preferred (and more
+        # secure) mode of operation.
+        cipher.key = OpenSSL::PKCS5.pbkdf2_hmac_sha1(options[:key], options[:salt], 2000, cipher.key_len)
+      end
     else
       cipher.pkcs5_keyivgen(options[:key])
     end
     yield cipher, options if block_given?
     result = cipher.update(options[:value])
     result << cipher.final
   end
-end
\ No newline at end of file
+end
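Review bot: A `:salt` passed without an `:iv` is silently ignored, because the new PBKDF2 branch sits inside `if options[:iv]` and the `else` branch still falls through to `cipher.pkcs5_keyivgen(options[:key])`, which derives key and IV from the raw password with no salt (OpenSSL's legacy single-pass MD5 scheme). A caller who adopts the "preferred" mode but omits `:iv` therefore gets the legacy derivation with no error, which defeats the point of the change; guard for it before the branch, e.g. `raise ArgumentError.new('must specify an :iv when a :salt is given') if options[:salt] && options[:iv].nil?`. The iteration count `2000` for `pbkdf2_hmac_sha1` is also a hard-coded literal and is low by current guidance; exposing it as an option (for example `options[:iterations]` defaulting to 2000 to stay compatible) would let deployments raise it without a gem upgrade. Minor: the comment should read `the :salt option`. The enclosing method's signature and `default_options` are outside this hunk, so the exact option plumbing is inferred.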